Our cyber watchlist for 2023: emerging themes

Top of the list: Emerging concerns around ‘systemic’ risk

Cyberspace is exceedingly and increasingly complex, containing millions of interdependencies, and a huge challenge for the cyber insurance market is understanding and quantifying the risk of a ‘systemic’ event that impacts a huge proportion of their client base at once.

This type of event is classed as a ‘systemic risk’ and, in the cyber domain, usually results from the existence of a single point of failure in a key piece of software used across businesses, governments and society that could cause a major national or global impact.

Impact can appear in many ways, for example a cyber-attack on one of the world’s largest cloud service providers would have broad financial, social, and political effects, and could create insurmountable costs for the cyber insurance and reinsurance industry.

The industry has faced incidents that point to a degree of systemic risk. For example, Log4j, a piece of software embedded across millions of consumer devices, contained a significant vulnerability that prompted investment from businesses globally to rapidly patch their systems. SolarWinds is another example of a serious vulnerability that crossed national boundaries and resulted in sensitive data being released from governments and core technology providers such as Microsoft.

From an economic and social point of view, there are few examples of a more damaging systemic cyber risk than that posed by WannaCry and NotPetya, which exploited the lack of investment in updating IT infrastructure and appropriate risk management. WannaCry, whilst global in impact, managed to take vital healthcare services offline in the UK’s NHS and cost millions in remediation. NotPetya, on the other hand, cost global businesses, including Maersk and Merck, an estimated USD10 billion in total to restore their operations.

For businesses, as cyber supply chains grow, it is increasingly critical that there is a clear understanding of the risks posed by ‘one to many’ service providers, who often give rise to systemic risk events.

In our recent report, The Cyber Arms Race, we provide guidance, based upon best practices and our experiences with large clients, that can help to ensure organisations can accurately assess and manage their exposure to systemic risks.

Other themes to watch

The Russian invasion of Ukraine

We’re watching closely the progress of the Russian invasion of Ukraine as the dynamics of the conflict in that theatre can have outsized effects on the tactics, techniques and procedures of ransomware (and other) threat actors. Cyber methods can be used offensively and defensively by both sides in a way which is non-attributable, meaning that the likelihood of attacks being carried out against international targets is heightened.

On the opposite side of the coin the grinding war has meant that mobilisation in both countries has significantly depleted the pool of talent used by threat actors - recent communications leaks from the Russian threat group Conti corroborate that this is having an effect on operational capability. As it stands, it’s unclear which dynamic will have a greater impact on our client base this year.

Web 3.0 and cryptocurrencies

The volatile fortunes of web 3.0, and cryptocurrencies in particular, are also likely to have an impact on the types of attacks that will affect large clients this year. This volatility is the equivalent of ‘foreign exchange’ risk for threat groups which demand ransoms in cryptocurrencies such as bitcoin, and the more this market fluctuates the greater the impetus for them to diversify into other areas.

We’ve seen a marked uptick in Business Email Compromise losses where traditional fiat currency is diverted into a third bank account as a result of a spear phishing attack against a finance team or member of senior leadership: as the payment is often in US dollars (or some other stable, real-world currency) this crypto risk is significantly reduced.

We are also closely watching whether there is likely to be an increase in ransom payments through privacy coins such as Monero, which are significantly harder to trace.

AI and ChatGPT

The advent of ChatGPT has generated concerns for us around the weaponisation of Artificial Intelligence. Although this is likely a longer term trend, the technology from OpenAI has demonstrated that this kind of chatbot - which would be classed as ‘narrow AI’, as it performs very specific functions and has no general sentience - can still be realistic and conversational enough to pass the Turing Test and fool a human into thinking it’s having a conversation with a real person. If this kind of technology was weaponised by threat groups, it could rapidly complicate attempts to train users on spotting and reporting (spear-)phishing attempts.

Could your colleagues spot a potential Business Email Compromise attack if they had exchanged nine emails with an attacker who spoke perfect English, and had access to everything which was publicly known about your organisation?

'Zero trust' models

The continuation of the move by more mature clients to ‘zero trust’ models will test the assessment questions and approaches of major insurance markets. Micro-segmentation at this level can be extremely difficult to explain and communicate, particularly in organisations where this is deployed in some areas and not others.

The ability to eloquently describe and evidence a zero trust architecture could unlock significant premium and coverage advantages in the longer term with underwriters who understand and embrace its benefits, but could butt up against a very established question set which is geared towards more traditional infrastructural models.